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Introduction 


The Information Commissioner is seeking feedback on her draft code of 
practice Age appropriate design - a code of practice for online services 
likely to be accessed by children (the code). 


The code will provide guidance on the design standards that the 
Commissioner will expect providers of online ‘Information Society 
Services’ (ISS), which process personal data and are likely to be accessed 
by children, to meet. 


The code is now out for public consultation and will remain open until 31 
May 2019. The Information Commissioner welcomes feedback on the 
specific questions set out below. 


Please send us your comments by 31 May 2019. 


Download this document and email to: 


ageappropriatedesign@ico.org.uk 


Print off this document and post to: 
Age Appropriate Design code consultation 
Policy Engagement Department 
Information Commissioner’s Office 
Wycliffe House 

Water Lane 

Wilmslow 

Cheshire SK9 5AF 


If you would like further information on the consultation please 
telephone 0303 123 1113 and ask to speak to the Policy 
Engagement Department about the Age Appropriate Design code or 


email_ageappropriatedesign@ico.org.uk 


Privacy statement 


For this consultation, we will publish all responses except for those where 
the respondent indicates that they are an individual acting in a private 
Capacity (e.g. a member of the public or a parent). All responses from 
organisations and individuals responding in a professional capacity (e.g. 
academics, child development experts, sole traders, child minders, 
education professionals) will be published. We will remove email 
addresses and telephone numbers from these responses but apart from 
this, we will publish them in full. 


For more information about what we do with personal data, please see 
Our privacy notice. 


Section 1: Your views 


Q1. Is the ‘About this code’ section of the code clearly communicated? 


Yes 
If NO, then please provide your reasons for this view. 


Q2. Is the ‘Services covered by this code’ section of the code clearly 
communicated? 


Yes 
If NO, then please provide your reasons for this view. 


Standards of age-appropriate design 


Please provide your views on the sections of the code covering each of 
the 16 draft standards 


1. Best interests of the child: The best interests of the child should be 
a primary consideration when you design and develop online services 
likely to be accessed by a child. 


2. Age-appropriate application: Consider the age range of your 
audience and the needs of children of different ages. Apply the standards 
in this code to all users, unless you have robust age-verification 
mechanisms to distinguish adults from children. 


3. Transparency: The privacy information you provide to users, and 
other published terms, policies and community standards, must be 
concise, prominent and in clear language suited to the age of the child. 
Provide additional specific ‘bite-sized’ explanations about how you use 
personal data at the point that use is activated. 


4. Detrimental use of data: Do not use children’s personal data in ways 
that have been shown to be detrimental to their wellbeing, or that go 
against industry codes of practice, other regulatory provisions or 
Government advice. 


5. Policies and community standards: Uphold your own published 
terms, policies and community standards (including but not limited to 
privacy policies, age restriction, behaviour rules and content policies). 


6. Default settings: Settings must be ‘high privacy’ by default (unless 
you can demonstrate a compelling reason for a different default setting, 
taking account of the best interests of the child). 


7. Data minimisation: Collect and retain only the minimum amount of 
personal data necessary to provide the elements of your service in which 
a child is actively and knowingly engaged. Give children separate choices 
over which elements they wish to activate. 


8. Data sharing: Do not disclose children’s data unless you can 
demonstrate a compelling reason to do so, taking account of the best 
interests of the child. 


9. Geolocation: Switch geolocation options off by default (unless you can 
demonstrate a compelling reason for geolocation, taking account of the 
best interests of the child), and provide an obvious sign for children when 
location tracking is active. Options which make a child’s location visible to 
others must default back to off at the end of each session. 


10. Parental controls: If you provide parental controls give the child 
age appropriate information about this. If your online service allows a 
parent or carer to monitor their child’s online activity or track their 
location, provide an obvious sign to the child when they are being 
monitored. 


11. Profiling: Switch options based on profiling off by default (unless you 
can demonstrate a compelling reason for profiling, taking account of the 
best interests of the child). Only allow profiling if you have appropriate 
measures in place to protect the child from any harmful effects (in 
particular, being fed content that is detrimental to their health or 
wellbeing). 


12. Nudge techniques: Do not use nudge techniques to lead or 
encourage children to provide unnecessary personal data, weaken or turn 
off privacy protections, or extend use. 


13. Connected toys and devices: If you provide a connected toy or 
device ensure you include effective tools to enable compliance with this 
code 


14. Online tools: Provide prominent and accessible tools to help children 
exercise their data protection rights and report concerns. 


15. Data protection impact assessments: Undertake a DPIA 
specifically to assess and mitigate risks to children who are likely to 
access your service, taking into account differing ages, capacities and 
development needs. Ensure that your DPIA builds in compliance with this 
code. 


16. Governance and accountability: Ensure you have policies and 
procedures in place which demonstrate how you comply with data 
protection obligations, including data protection training for all staff 
involved in the design and development of online services likely to be 
accessed by children. Ensure that your policies, procedures and terms of 
service demonstrate compliance with the provisions of this code 


Q3. Have we communicated our expectations for this standard clearly? 
1. Best interests of the child 


No 


There is a great deal of uncertainty when the standard seems to say that 
the best interests of the child are what's best for each individual child. 
But also weighing between two competing best interests, pick the best 
one. The definition of a standard is a norm or measure in comparative 
evaluations. "Best interests of the child" do not meet this basic test. 


2. Age-appropriate application 
No 


The discussion of more "robust" age verification tools does not provide 
adequate guidance. 

3. Transparency 

No 


The industry is still not clear on how to meet the GDPR standard for 
communicating some of the complex uses of data to children--and this 
standard must assume at least literate children. There isn't consensus 
around iconography at this time. 

4. Detrimental use of data 


Yes 


Additional comments below. 


5. Policies and community standards 
Yes 


Additional comments below. 
6. Default settings 
Yes 


Additional comments below. 
7. Data minimisation 
No 


As a general principle, like with GDPR, data minimization makes sense. 
However, we are confused as to how to provide children with choices over 
what they wish to activate. 

8. Data sharing 

Yes 


Additional comments below 
9. Geolocation 


No 


Unclear whether the definition includes geofencing to respect rights and 
deliver proper translations. 

10. Parental controls 

No 


Shouldn't parents ultimately control the use of technology by their 
(minor) children? 


11. Profiling 
No 


Unclear on the scope of profile data here - does this include play analytics 
for game tuning? 


12. Nudge techniques 
No 


Not clear if nudge techniques also include "fun" activities that are 
"sticky" but may inspire players to purchase in app purchases to boost 
play. 

13. Connected toys and devices 
Yes 


If NO, then please provide your reasons for this view. 
14. Online tools 
Yes 


Additional comments below. 
15. Data protection impact assessments 
Yes 


Additional comments below. 
16. Governance and accountability 


Yes 


If NO, then please provide your reasons for this view. 


Q4. Do you have any examples that you think could be used to illustrate 
the approach we are advocating for this standard? 


1. Best interests of the child 


No 


If YES, then please provide details. 


2. Age-appropriate application 
No 


If YES, then please provide details. 
3. Transparency 
No 


If YES, then please provide details. 


4. Detrimental use of data 


No 
If YES, then please provide details. 


5. Policies and community standards 
No 


If YES, then please provide details. 
6. Default settings: 
No 


If YES, then please provide details. 
7. Data minimisation 
No 


If YES, then please provide details. 
8. Data sharing 
No 


If YES, then please provide details. 
9. Geolocation 
No 


If YES, then please provide details. 
10. Parental controls 
No 


If YES, then please provide details. 
11. Profiling 
No 


If YES, then please provide details. 
12. Nudge techniques 


No 
If YES, then please provide details. 


13. Connected toys and devices 
No 


If YES, then please provide details. 


14. Online tools 
No 


If YES, then please provide details. 


15. Data protection impact assessments 
No 


If YES, then please provide details. 
16. Governance and accountability 


No 


If YES, then please provide details. 


Q5. Do you think this standard gives rise to any unwarranted or 
unintended consequences? 


1. Best interests of the child 


Yes 


As noted above, a standard must be a reliable measure for comparison, 
and here, that measuring index is not fixed but based on each individual. 
We are concerned that this broad, unclear mandate will have a chilling 
effect on the entire industry--especially in light of the reach into 
experiences not intended or designed for kids. We are also concerned 
that defining children as under 18 for purposes of data collection is out of 
step with the rest of Europe, the GDPR and the standards we've been 
adjusting to not a very long time ago. Digital experiences are designed 
for global audiences. Not unlike with many news outlets and 
organizations in the US who, under the GDPR stopped publishing in 
Europe, we believe that one of the consequences is that publishers will 
opt not to publish entertainment experiences in the UK as the risk and 
expense is too high. 


2. Age-appropriate application 
Yes 


Designing for such a wide range of players is difficult and when not done 
just right, may turn away players who will feel the experience is not 
made for them. 


How are the "robust" age verification systems supposed to work? COPPA 
requires verifiable parental consent when an under 13's data is collected, 
but this is rarely implemented as it is too expensive to operate. Further, 
COPPA offers an exception when the collection is limited to alpha-numeric 
identifiers for purposes of support of internal operations. This is a 
workable compromise. There is still a lot of suspicion from consumers 
that age gates are collecting information when they are really trying to 
provide an appropriate level of experience. The fact is that age gates still 
cause some level of player drop by their mere existence. 


What is the consequence of players who play over a period of time and 
age up? One irony is that the industry will need to track age over time of 
the player-base, whereas now we do not. 

3. Transparency 

Yes 


See feasibility question below. 
4. Detrimental use of data 


Yes 


This is another area that could likely cause a chilling effect. We believe 
that beyond obviously detrimental uses of data, like exposing personally 
identifiable information without consent or publicly, that the standard as 
written goes beyond data use. The paragraphs on "Strategies to extend 
user engagment" do not deal with data, personal or otherwise, and are 
not well researched enough to provide adequate guidance. Where is the 
line between fun and sticky? Although we believe that there may be room 
for improvement--such improvement might better come through targeted 
recommendations or regulation of things like loot boxes. What concerns 
us is whether this bleeds over into more general practices of making 
mastery and play fun, even if this may be monitized. Again, if there's not 
a clearer line here and a solid research foundation for where that line is 
drawn, to implement this to include the user engagement strategies 
without being more narrowly tailored is to invite publishers to pull their 
experiences from the UK market out of cost and liability concerns. 


5. Policies and community standards 
No 


If YES, then please provide your reasons for this view. 


6. Default settings 
Yes 


More to say on the feasibility of this standard, but for now, the issue with 
uninteded consequences is that as a result of allowing children to change 
default settings as suggested, a publisher who implements these without 
verifiable parental consent runs the risk of violating COPPA in the US. 
Further, this feature could unintentionally invite MORE collection than 
would otherwise be necessary for a child-directed or general audience 
experience in order to implement. Finally, regular users who get their 
settings routinely set back to default will get frustrated by the experience 
and quit playing your game or visiting your website--especially if there's a 
perceived loss of game progress as a result. 

7. Data minimisation 
Yes 


Giving children choices over which data elements they wish to enable is 
confusing and may be counter productive. This does not seem to be well 
thought through. 

8. Data sharing 
Yes 


Data remediation for the cohort of users who are 16 or 17 could take 
away features these users already feel they have a right to and create 
potential claims of deceptive practices. 

9. Geolocation 
Yes 


Some privacy features rely on being able to geofence by country. Please 
carve out such an exception for legitimate features that use gross IP 
address/location to determine country will become a liablity when they've 
been designed to tailor an experience for a global audience. No issue 
with precise location being off limits without adequate consent. 

10. Parental controls 

Yes 


This seems counter intuitive. Parental controls are one of the few 
safeguards that parents have to use the ubiquitous technology kids have 
access to. 

11. Profiling 

Yes 


For the use case of a family device, or shared computer, switching this to 
default every time is counter productive. In these cases, user accounts 
are used to precisely to avoid serving inappropriate (or just irrelevant) 
content to users. The example screen shots do not really seem to speak 
to most children or their understanding and will become frustrating 
nuisances to the user experience. 


12. Nudge techniques 
Yes 


We are concerned that the concept of "extend their use" is too broad and 
may cover a fun game that also offers in-app purchases to enhance game 
play. We believe that the OFT guidelines provided a better test around 
not putting undo pressure around purchases. Reward loops, taken 
broadly, get into the core of the entire mobile gaming industry and would 
be a radical redisign with tremendous economic shocks for the industry. 
13. Connected toys and devices 

No 


If YES, then please provide your reasons for this view. 
14. Online tools 
Yes 


We struggle with the concept of giving children consent for some 
questions that may not be appropriate or valid for purposes of consent in 
other jurisdictions (e.g., in the US children cannot consent to a legal 
agreement, etc.). 

15. Data protection impact assessments 

No 


If YES, then please provide your reasons for this view. 
16. Governance and accountability 


No 


If YES, then please provide your reasons for this view. 


Q6. Do you envisage any feasibility challenges to online services 
delivering this standard? 


1. Best interests of the child 


Yes 


Please refer to the concerns expressed in question 5. 


2. Age-appropriate application 
Yes 


The manifold layers of age-grade maintenance requires a lot of initial 
re-architecting and further ongoing support. Users may have to be 
aged-up automatically, for instance. In general, adding other general 
new features or content will become that much more expensive and 
time consuming as all will be adjusted to the multiple layers of age. 
3. Transparency 


Yes 


We believe the industry is still struggling to understand how to explain 
some of the complex concepts that underlie data collection in the digital 
entertainment environment under GDPR. Ad tech is complicated and 
not a lot of adults understand it. 

4. Detrimental use of data 


No 


If YES, then please provide details of what you think the challenges are 
and how you think they could be overcome. 


5. Policies and community standards 
No 


If YES, then please provide details of what you think the challenges are 
and how you think they could be overcome. 

6. Default settings 

Yes 


This standard seems particularly challenging to implement. This will 
require a lot of mass UX testing to even get functional and it will 
potentially get deep into the architecture of mobile games and be quite 
expensive to implement. 

7. Data minimisation 

Yes 


Giving different age users different choices over which elements to 
activate is a potentially confusing experience for users and one that, at 
least for mobile games would get extremely into the weeds and be quite 
expensive and difficult to implement. There are unforseen relationships 
between each data element that users may not understand which in 
turn will lead to frustration. 

8. Data sharing 
Yes 


There will be a challenge in remediating existing data for the users 
between 16 and 18. These users may have long relied on expectations 
of operation and in removing some of this data, the consequence could 
be removing access to features these users have come to expect. 

9. Geolocation 

No 


If YES, then please provide details of what you think the challenges are 
and how you think they could be overcome. 
10. Parental controls 


Yes 


Implementing features to alert users when parental monitoring is 
happening would seem to require a great deal more data monitoring 
and connectivity than is currently the case. 


11. Profiling 
Yes 


Building such profiling systems will be a huge lift across our entire 
portfolio of web and mobile services--we do not profile for OBA so 
creating switch options for this purpose would be of little return on 
considerable investment. 

12. Nudge techniques 

Yes 


We believe that the OFT guidelines provided a better test around not 
putting undo pressure around purchases. Reward loops, taken broadly, 
get into the core of the entire mobile gaming industry and would be a 
radical redisign with tremendous economic shocks for the industry. 
13. Connected toys and devices 

Yes 


Our challenge with smart speakers is that unlike web or mobile, as 
publishers and content creators, we are unable to know what the 
platform collects or how it handles privacy decisions that we would take 
care of to ensure compliance from a design perspective. We do not 
have that comfort now either. 

14. Online tools 
Yes 


This is a huge lift from an engineering point of view. This could take 
years to fully test and implement. 

15. Data protection impact assessments 

No 


If YES, then please provide details of what you think the challenges are 
and how you think they could be overcome. 
16. Governance and accountability 


No 
If YES, then please provide details of what you think the challenges are 
and how you think they could be overcome. 


Q7. Do you think this standard requires a transition period of any longer 
than 3 months after the code come into force? 


1. Best interests of the child 


YES/NO. 


If YES, then please provide your reasons for this view, and give an 
indication of what you think a reasonable transition period would be and 
why. 


2. Age-appropriate application 
Yes 


Doing this is a years-long development process that really must be on 
a go-forward basis. 

3. Transparency 

Yes 


to the extent we must now track age and profile across time, this will 
be a big lift to implement taking much longer than 3 months. 
4. Detrimental use of data 


No 


If YES, then please provide your reasons for this view, and give an 
indication of what you think a reasonable transition period would be and 
why. 


5. Policies and community standards 
No 


If YES, then please provide your reasons for this view, and give an 
indication of what you think a reasonable transition period would be and 
why. 

6. Default settings 

Yes 


Doing this is a years-long development process that really must be on 
a go-forward basis. For mobile this requires a complete re-architecture 
of the game loop with the addition of several more states to manage. 
There will be a lot of bugs from the unforeseen interconnections 
between data elements and settings. 

7. Data minimisation 

No 


If YES, then please provide your reasons for this view, and give an 


indication of what you think a reasonable transition period would be and 
why. 

8. Data sharing 

Yes 


For reasons stated above, it will be particularly difficult to remediate 
users who are 16 or 17. This may take a lot of testing to ensure that 
their experience isn't broken. 


9. Geolocation 
No 


If YES, then please provide your reasons for this view, and give an 
indication of what you think a reasonable transition period would be and 
why. 

10. Parental controls 

Yes 


We do not yet know how such controls would be implemented as there 
isn't much precedence for this. Will need testing and bug fixing after 
implementation (which isn't clear how this will work). 

11. Profiling 

Yes 


If profiling includes creating new cohorts of users based on age, and if 
profiling includes collection of analytics for purposes of game play 
analysis, tuning and debugging, doing this is a years-long development 
process that really must be on a go-forward basis. 

12. Nudge techniques 

Yes 


If the requirement is to fundementally upturn the free play for ad-tech 
model of mobile or web games and entertainment, this will take far 
longer than 3 months to evolve. 

13. Connected toys and devices 

No 


If YES, then please provide your reasons for this view, and give an 
indication of what you think a reasonable transition period would be and 
why. 

14. Online tools 

Yes 


This is completely impracticable within 3 months. This could be a whole 
startup industry model--but the industry and tools don't exist. 


15. Data protection impact assessments 
Yes 


DPIAs take longer than 3 months to prepare. If the requirement will be 
to add a large number of existing experiences that are currently "adult 
directed" to this analysis, that will be a big lift. 


16. Governance and accountability 


No 


If YES, then please provide your reasons for this view, and give an 
indication of what you think a reasonable transition period would be and 
why. 


Q8. Do you know of any online resources that you think could be usefully 
linked to from this section of the code? 


1. Best interests of the child 


YES/NO. 
If YES, then please provide details (including links). 


2. Age-appropriate application 
YES/NO. 


If YES, then please provide details (including links). 
3. Transparency 
YES/NO. 


If YES, then please provide details (including links). 
4. Detrimental use of data 


YES/NO. 
If YES, then please provide details (including links). 


5. Policies and community standards 
YES/NO. 


If YES, then please provide details (including links). 
6. Default settings 


YES/NO. 


If YES, then please provide details (including links). 
7. Data minimisation 
YES/NO. 


If YES, then please provide details (including links). 
8. Data sharing 
YES/NO. 


If YES, then please provide details (including links). 
9. Geolocation 
YES/NO. 


If YES, then please provide details (including links). 
10. Parental controls 
YES/NO. 


If YES, then please provide details (including links). 
11. Profiling 
YES/NO. 


If YES, then please provide details (including links). 
12. Nudge techniques 
Yes 


If YES, then please provide details (including links). 
13. Connected toys and devices 
No 


If YES, then please provide details (including links). 
14. Online tools 
YES/NO. 


If YES, then please provide details (including links). 
15. Data protection impact assessments 
YES/NO. 


If YES, then please provide details (including links). 
16. Governance and accountability 


YES/NO. 


If YES, then please provide details (including links). 


Q10. Is the ‘Enforcement of this code’ section clearly communicated? 


YES/NO. 
If NO, then please provide your reasons for this view. 


Q11. Is the ‘Glossary’ section of the code clearly communicated? 


YES/NO. 
If NO, then please provide your reasons for this view. 


Q12. Are there any key terms missing from the ‘Glossary’ section? 
YES/NO. 

If YES, then please provide your reasons for this view. 

Q13. Is the ‘Annex A: Age and developmental stages’ section of the 
code clearly communicated? 

YES/NO. 

If NO, then please provide your reasons for this view. 


Q14. Is there any information you think needs to be changed in the 
‘Annex A: Age and developmental stages’ section of the code? 


YES/NO. 
If YES, then please provide your reasons for this view. 


Q15. Do you know of any online resources that you think could be 
usefully linked to from the ‘Annex A: Age and developmental 
stages’ section of the code? 


YES/NO. 


If YES, then please provide details (including links). 


Q16. Is the ‘Annex B: Lawful basis for processing’ section of the 
code clearly communicated? 


YES/NO. 
If NO, then please provide your reasons for this view. 


Q17. Is this ‘Annex C: Data Protection Impact Assessments’ 
section of the code clearly communicated? 


YES/NO. 
If NO, then please provide your reasons for this view. 


Q18. Do you think any issues raised by the code would benefit from 
further (post publication) work, research or innovation? 


YES/NO. 


If YES, then please provide details (including links). 


Section 2: About you 


Are you: 


A body representing the views or interests of children? 


Please specify: 


A body representing the views or interests of parents? 


Please specify: 


A child development expert? 


Please specify: 


An Academic? 


Please specify: 


An individual acting in another professional capacity? 


Please specify: 


A provider of an ISS likely to be accessed by children? 


Please specify: 
Toy and Entertainment Company 

A trade association representing ISS providers? 

Please specify: L] 
An individual acting in a private capacity (e.g. someone 
providing their views as a member of the public of the L] 
public or a parent)? 

An ICO employee? L] 
Other? 

Please specify: L] 


Thank you for responding to this consultation. 


We value your input. 


